<?xml version="1.0" encoding="UTF-8"?>
<?xml-model href="https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.4/xml/schema/oscal_complete_schema.xsd" schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema"?>
<!-- The xml-model instruction above is a validation hint. It names a schema on a remote
     host by a version path segment (v1.0.4), not by content hash, so validate against a
     locally vetted copy of that schema rather than letting tooling fetch the URL. -->
<!-- OSCAL profile for the FedRAMP Rev 5 Tailored LI-SaaS baseline. Order of the visible
     sections: metadata, import (control selection), merge, modify (parameter constraints
     followed by per-control alterations). -->
<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="ece2fd2d-87f7-476a-a295-6e1ec8153771">
  <metadata>
    <title>FedRAMP Rev 5 Tailored Low Impact Software as a Service (LI-SaaS) Baseline</title>
    <published>2024-09-24T02:24:00Z</published>
    <last-modified>2024-09-24T02:24:00Z</last-modified>
    <version>fedramp2.1.0-oscal1.0.4</version>
    <oscal-version>1.0.4</oscal-version>
    <!-- Roles; each one is bound to a party by a responsible-party entry further down. -->
    <role id="prepared-by">
      <title>Document creator</title>
    </role>
    <role id="fedramp-pmo">
      <title>The FedRAMP Program Management Office (PMO)</title>
      <short-name>PMO</short-name>
    </role>
    <role id="fedramp-jab">
      <title>The FedRAMP Joint Authorization Board (JAB)</title>
      <short-name>JAB</short-name>
    </role>
    <!-- Parties. Links whose href starts with # are fragment references to resources by
         UUID; those resources are not visible in this part of the file (presumably they
         live in back-matter, confirm). -->
    <party uuid="8cc0b8e5-9650-4d5f-9796-316f05fa9a2d" type="organization">
      <name>Federal Risk and Authorization Management Program: Program Management Office</name>
      <short-name>FedRAMP PMO</short-name>
      <link href="https://fedramp.gov" rel="homepage"/>
      <link href="#a2381e87-3d04-4108-a30b-b4d2f36d001f" rel="logo"/>
      <link href="#985475ee-d4d6-4581-8fdf-d84d3d8caa48" rel="reference"/>
      <email-address>info@fedramp.gov</email-address>
      <address type="work">
        <addr-line>1800 F St. 
NW</addr-line>
        <city>Washington</city>
        <state>DC</state>
        <postal-code>20006</postal-code>
        <country>US</country>
      </address>
    </party>
    <party uuid="ca9ba80e-1342-4bfd-b32a-abac468c24b4" type="organization">
      <name>Federal Risk and Authorization Management Program: Joint Authorization Board</name>
      <short-name>FedRAMP JAB</short-name>
      <link href="#a2381e87-3d04-4108-a30b-b4d2f36d001f" rel="logo"/>
    </party>
    <!-- The PMO party fills both prepared-by and fedramp-pmo; the JAB party fills fedramp-jab. -->
    <responsible-party role-id="prepared-by">
      <party-uuid>8cc0b8e5-9650-4d5f-9796-316f05fa9a2d</party-uuid>
    </responsible-party>
    <responsible-party role-id="fedramp-pmo">
      <party-uuid>8cc0b8e5-9650-4d5f-9796-316f05fa9a2d</party-uuid>
    </responsible-party>
    <responsible-party role-id="fedramp-jab">
      <party-uuid>ca9ba80e-1342-4bfd-b32a-abac468c24b4</party-uuid>
    </responsible-party>
  </metadata>
  <!-- Control selection. The href is a fragment reference, so the source catalog is named
       by a resource outside this part of the file (presumably the NIST SP 800-53 Rev 5
       catalog, confirm). NOTE(review): check that the resource pins the catalog to a fixed
       version, ideally with an rlink hash, so that profile resolution cannot silently pick
       up a different control set. -->
  <import href="#051a77c1-b61d-4995-8275-dacfe688d510">
    <!-- One with-id per selected control. Dotted ids such as at-2.2 are control
         enhancements and are listed individually. Grouped below by family prefix. -->
    <include-controls>
      <with-id>ac-1</with-id> <with-id>ac-2</with-id> <with-id>ac-3</with-id> <with-id>ac-7</with-id> <with-id>ac-8</with-id> <with-id>ac-14</with-id> <with-id>ac-17</with-id> <with-id>ac-18</with-id> <with-id>ac-19</with-id> <with-id>ac-20</with-id> <with-id>ac-22</with-id>
      <with-id>at-1</with-id> <with-id>at-2</with-id> <with-id>at-2.2</with-id> <with-id>at-3</with-id> <with-id>at-4</with-id>
      <with-id>au-1</with-id> <with-id>au-2</with-id> <with-id>au-3</with-id> <with-id>au-4</with-id> <with-id>au-5</with-id> <with-id>au-6</with-id> <with-id>au-8</with-id> <with-id>au-9</with-id> <with-id>au-11</with-id> <with-id>au-12</with-id>
      <with-id>ca-1</with-id> <with-id>ca-2</with-id> <with-id>ca-2.1</with-id> <with-id>ca-3</with-id> <with-id>ca-5</with-id> <with-id>ca-6</with-id> <with-id>ca-7</with-id> <with-id>ca-7.4</with-id> <with-id>ca-8</with-id> <with-id>ca-9</with-id>
      <with-id>cm-1</with-id> <with-id>cm-2</with-id> <with-id>cm-4</with-id> <with-id>cm-5</with-id> <with-id>cm-6</with-id> <with-id>cm-7</with-id> <with-id>cm-8</with-id> <with-id>cm-10</with-id> <with-id>cm-11</with-id>
      <with-id>cp-1</with-id> <with-id>cp-2</with-id> <with-id>cp-3</with-id> <with-id>cp-4</with-id> <with-id>cp-9</with-id> <with-id>cp-10</with-id>
      <with-id>ia-1</with-id> <with-id>ia-2</with-id> <with-id>ia-2.1</with-id> <with-id>ia-2.2</with-id> <with-id>ia-2.8</with-id> <with-id>ia-2.12</with-id> <with-id>ia-4</with-id> <with-id>ia-5</with-id> <with-id>ia-5.1</with-id> <with-id>ia-6</with-id> <with-id>ia-7</with-id> <with-id>ia-8</with-id> <with-id>ia-8.1</with-id> <with-id>ia-8.2</with-id> <with-id>ia-8.4</with-id> <with-id>ia-11</with-id>
      <with-id>ir-1</with-id> <with-id>ir-2</with-id> <with-id>ir-4</with-id> <with-id>ir-5</with-id> <with-id>ir-6</with-id> <with-id>ir-7</with-id> <with-id>ir-8</with-id>
      <with-id>ma-1</with-id> <with-id>ma-2</with-id> <with-id>ma-4</with-id> <with-id>ma-5</with-id>
      <with-id>mp-1</with-id> <with-id>mp-2</with-id> <with-id>mp-6</with-id> <with-id>mp-7</with-id>
      <with-id>pe-1</with-id> <with-id>pe-2</with-id> <with-id>pe-3</with-id> <with-id>pe-6</with-id> <with-id>pe-8</with-id> <with-id>pe-12</with-id> <with-id>pe-13</with-id> <with-id>pe-14</with-id> <with-id>pe-15</with-id> <with-id>pe-16</with-id>
      <with-id>pl-1</with-id> <with-id>pl-2</with-id> <with-id>pl-4</with-id> <with-id>pl-4.1</with-id> <with-id>pl-8</with-id> <with-id>pl-10</with-id> <with-id>pl-11</with-id>
      <with-id>ps-1</with-id> <with-id>ps-2</with-id> <with-id>ps-3</with-id> <with-id>ps-4</with-id> <with-id>ps-5</with-id> <with-id>ps-6</with-id> <with-id>ps-7</with-id> <with-id>ps-8</with-id> <with-id>ps-9</with-id>
      <with-id>ra-1</with-id> <with-id>ra-2</with-id> <with-id>ra-3</with-id> <with-id>ra-3.1</with-id> <with-id>ra-5</with-id> <with-id>ra-5.2</with-id> <with-id>ra-5.11</with-id> <with-id>ra-7</with-id>
      <with-id>sa-1</with-id> <with-id>sa-2</with-id> <with-id>sa-3</with-id> <with-id>sa-4</with-id> <with-id>sa-4.10</with-id> <with-id>sa-5</with-id> <with-id>sa-8</with-id> <with-id>sa-9</with-id> <with-id>sa-22</with-id>
      <with-id>sc-1</with-id> <with-id>sc-5</with-id> <with-id>sc-7</with-id> <with-id>sc-8</with-id> <with-id>sc-8.1</with-id> <with-id>sc-12</with-id> <with-id>sc-13</with-id> <with-id>sc-15</with-id> <with-id>sc-20</with-id> <with-id>sc-21</with-id> <with-id>sc-22</with-id> <with-id>sc-28</with-id> <with-id>sc-28.1</with-id> <with-id>sc-39</with-id>
      <with-id>si-1</with-id> <with-id>si-2</with-id> <with-id>si-3</with-id> <with-id>si-4</with-id> <with-id>si-5</with-id> <with-id>si-12</with-id>
      <with-id>sr-1</with-id> <with-id>sr-2</with-id> <with-id>sr-2.1</with-id> <with-id>sr-3</with-id> <with-id>sr-5</with-id> <with-id>sr-8</with-id> <with-id>sr-10</with-id> <with-id>sr-11</with-id> <with-id>sr-11.1</with-id> <with-id>sr-11.2</with-id> <with-id>sr-12</with-id>
    </include-controls>
  </import>
  <!-- as-is = true: the resolved baseline keeps the grouping of the source catalog. -->
  <merge>
    <as-is>true</as-is>
  </merge>
  <modify>
    <!-- Set FedRAMP parameters -->
    <!-- Each set-parameter attaches a FedRAMP constraint to one catalog parameter. The
         constraints carry a prose description only (no test expression), so a tool cannot
         check an SSP value against them automatically; a reviewer has to.
         Ids of the form xx-N_prm_N appear next to the _odp ids further down; verify during
         profile resolution that every param-id resolves in the imported catalog.
         Pattern used for each family's -01 parameters in this profile: _odp.05, _odp.07
         and _odp.08 receive "at least every 3 years", "at least annually" and "significant
         changes" (presumably policy review frequency, procedure review frequency and
         procedure review trigger, confirm against the catalog). -->
    <!-- AC: Access Control -->
    <set-parameter param-id="ac-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ac-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ac-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ac-02_odp.06"> <constraint> <description> <p>twenty-four (24) hours</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ac-02_odp.07"> <constraint> <description> <p>eight (8) hours</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ac-02_odp.08"> <constraint> <description> <p>eight (8) hours</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ac-02_odp.10"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <!-- The AC-8 constraint points at requirements and guidance text that is not part of
         the parameter itself. -->
    <set-parameter param-id="ac-08_odp.01"> <constraint> <description> <p>see additional Requirements and Guidance</p> </description> </constraint> </set-parameter>
    <set-parameter
param-id="ac-08_odp.02"> <constraint> <description> <p>see additional Requirements and Guidance</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ac-22_odp"> <constraint> <description> <p>at least quarterly</p> </description> </constraint> </set-parameter>
    <!-- AT: Awareness and Training -->
    <set-parameter param-id="at-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="at-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="at-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="at-2_prm_1"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="at-02_odp.06"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="at-03_odp.03"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="at-03_odp.04"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="at-04_odp"> <constraint> <description> <p>at least one (1) year or 1 year after completion of a specific training program</p> </description> </constraint> </set-parameter>
    <!-- AU: Audit and Accountability -->
    <set-parameter param-id="au-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="au-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="au-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <!-- Minimum event set to log; the second sentence adds web-application events. -->
    <set-parameter param-id="au-02_odp.01"> <constraint> <description> <p>successful and unsuccessful account logon events, account 
management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="au-2_prm_2"> <constraint> <description> <p>organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="au-02_odp.04"> <constraint> <description> <p>annually and whenever there is a change in the threat environment</p> </description> </constraint> </set-parameter>
    <!-- NOTE(review): the constraint names overwriting the oldest record as the action.
         That keeps logging alive at the cost of the oldest evidence, so storage sizing
         (AU-4) and retention (AU-11), both selected by this profile, have to leave enough
         room that the overwrite never reaches records still inside the retention period. -->
    <set-parameter param-id="au-05_odp.03"> <constraint> <description> <p>overwrite oldest record</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="au-06_odp.01"> <constraint> <description> <p>at least weekly</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="au-08_odp"> <constraint> <description> <p>one second granularity of time measurement</p> </description> </constraint> </set-parameter>
    <!-- Retention is delegated to an external document (M-21-31); the period itself is
         not stated in this profile. -->
    <set-parameter param-id="au-11_odp"> <constraint> <description> <p>a time period in compliance with M-21-31</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="au-12_odp.01"> <constraint> <description> <p>all information system and network components where audit capability is deployed/available</p> </description> </constraint> </set-parameter>
    <!-- CA: Assessment, Authorization, and Monitoring -->
    <set-parameter param-id="ca-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ca-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ca-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ca-02_odp.01"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ca-02_odp.02"> <constraint> <description> <p>individuals or roles to include FedRAMP PMO</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ca-03_odp.03"> <constraint> <description> <p>at least annually and on input from JAB/AO</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ca-05_odp"> <constraint> <description> <p>at least monthly</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ca-06_odp"> <constraint> <description> <p>in accordance with OMB A-130 requirements or when a significant change occurs</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ca-7_prm_4"> <constraint> <description> <p>to include JAB/AO</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ca-08_odp.01"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <!-- CM: Configuration Management -->
    <set-parameter param-id="cm-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cm-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cm-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cm-02_odp.01"> <constraint> <description> <p>at least annually and when a significant change occurs</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cm-02_odp.02"> <constraint> <description> <p>to include when directed by the JAB</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cm-08_odp.02"> <constraint> <description> <p>at least monthly</p> </description> </constraint> </set-parameter>
    <!-- NOTE(review): this constraint relies on CM-7 (5), but the include-controls list of
         this profile names cm-7 and no cm-7.5. Confirm that continuous monitoring of
         user-installed software is still achievable without that enhancement, or that the
         cross-reference is a leftover from a higher baseline. -->
    <set-parameter param-id="cm-11_odp.03"> <constraint> <description> <p>Continuously (via CM-7 (5))</p> </description> </constraint> </set-parameter>
    <!-- CP: Contingency Planning -->
    <set-parameter param-id="cp-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cp-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cp-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cp-02_odp.05"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <!-- The asterisk refers to additional requirements text that is not part of this
         parameter. -->
    <set-parameter param-id="cp-03_odp.01"> <constraint> <description> <p>*See Additional Requirements</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cp-03_odp.02"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cp-03_odp.03"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cp-04_odp.01"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cp-4_prm_2"> <constraint> <description> <p>classroom exercise/table top written tests</p> </description> </constraint> </set-parameter>
    <!-- The same backup cadence is applied to all three CP-9 parameters. -->
    <set-parameter param-id="cp-09_odp.02"> <constraint> <description> <p>daily incremental; weekly full</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cp-09_odp.03"> <constraint> <description> <p>daily incremental; weekly full</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="cp-09_odp.04"> <constraint> <description> <p>daily incremental; weekly full</p> </description> </constraint> </set-parameter>
    <!-- IA: Identification and Authentication -->
    <set-parameter param-id="ia-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter
param-id="ia-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ia-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ia-04_odp.01"> <constraint> <description> <p>at a minimum, the ISSO (or similar role within the organization)</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ia-04_odp.02"> <constraint> <description> <p>at least two (2) years</p> </description> </constraint> </set-parameter>
    <!-- IR: Incident Response -->
    <set-parameter param-id="ir-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ir-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ir-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ir-02_odp.01"> <constraint> <description> <p>ten (10) days for privileged users, thirty (30) days for Incident Response roles</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ir-02_odp.02"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ir-02_odp.03"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <!-- Reporting deadlines are delegated to an external publication; no time value is
         stated in this profile. -->
    <set-parameter param-id="ir-06_odp.01"> <constraint> <description> <p>US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ir-08_odp.02"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <!-- Both IR-8 constraints below only point at additional FedRAMP requirements and
         guidance; that text is not part of the parameters (presumably it is added by the
         alter for ir-8, confirm). -->
    <set-parameter param-id="ir-08_odp.04"> <constraint> <description> <p>see additional FedRAMP Requirements and Guidance</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ir-8_prm_5"> <constraint> <description> <p>see additional FedRAMP Requirements and Guidance</p> </description> </constraint> </set-parameter>
    <!-- MA: Maintenance -->
    <set-parameter param-id="ma-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ma-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ma-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <!-- MP: Media Protection -->
    <set-parameter param-id="mp-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="mp-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="mp-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="mp-6_prm_1"> <constraint> <description> <p>techniques and procedures IAW NIST SP 800-88 Section 4: Reuse and Disposal of Storage Media and Hardware</p> </description> </constraint> </set-parameter>
    <!-- PE: Physical and Environmental Protection -->
    <set-parameter param-id="pe-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-02_odp"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-03_odp.02"> <constraint> <description> <p>CSP defined physical access control systems/devices AND guards</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-03_odp.06"> <constraint> <description> <p>in all circumstances within restricted access area where the information system resides</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-03_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-3_prm_9"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-06_odp.01"> <constraint> <description> <p>at least monthly</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-08_odp.01"> <constraint> <description> <p>for a minimum of one (1) year</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-08_odp.02"> <constraint> <description> <p>at least monthly</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-14_odp.01"> <constraint> <description> <p>consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-14_odp.04"> <constraint> <description> <p>continuously</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pe-16_prm_1"> <constraint> <description> <p>all information system components</p> </description> </constraint> </set-parameter>
    <!-- PL: Planning -->
    <set-parameter param-id="pl-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pl-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pl-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pl-02_odp.03"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pl-04_odp.01"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pl-04_odp.02"> <constraint> <description> <p>at least annually and when the rules are revised or changed</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="pl-08_odp"> <constraint> <description> <p>at least annually and when a significant change occurs</p> </description> </constraint> </set-parameter>
    <!-- PS: Personnel Security -->
    <set-parameter param-id="ps-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-02_odp"> <constraint> <description> <p>at least every three years</p> </description> </constraint> </set-parameter>
    <!-- Rescreening schedule; this constraint has two paragraphs (clearance holders, then
         public trust positions). -->
    <set-parameter param-id="ps-3_prm_1"> <constraint> <description> <p>for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance.</p> <p>For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. 
There is no reinvestigation for other moderate risk positions or any low risk positions</p> </description> </constraint> </set-parameter>
    <!-- Access removal and notification deadlines for termination (PS-4), transfer (PS-5)
         and external personnel (PS-7) are stated in hours. -->
    <set-parameter param-id="ps-04_odp.01"> <constraint> <description> <p>four (4) hours</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-05_odp.02"> <constraint> <description> <p>twenty-four (24) hours</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-05_odp.04"> <constraint> <description> <p>twenty-four (24) hours</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-06_odp.01"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-06_odp.02"> <constraint> <description> <p>at least annually and any time there is a change to the user's level of access</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-07_odp.01"> <constraint> <description> <p>including access control personnel responsible for the system and/or facilities, as appropriate</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-07_odp.02"> <constraint> <description> <p>within twenty-four (24) hours</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ps-08_odp.01"> <constraint> <description> <p>at a minimum, the ISSO and/or similar role within the organization</p> </description> </constraint> </set-parameter>
    <!-- RA: Risk Assessment -->
    <set-parameter param-id="ra-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ra-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ra-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ra-03_odp.01"> <constraint> <description> <p>security assessment report</p> </description> </constraint>
</set-parameter>
    <set-parameter param-id="ra-03_odp.03"> <constraint> <description> <p>at least every three (3) years and when a significant change occurs</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ra-03_odp.05"> <constraint> <description> <p>at least every three (3) years</p> </description> </constraint> </set-parameter>
    <!-- Scan cadence (ra-5_prm_1) and remediation deadlines (ra-05_odp.03).
         NOTE(review): the RA-5 deadlines count from the date of discovery, while the SI-2
         constraint further down counts from the release of an update. The two clocks can
         disagree for the same flaw, so tracking should record both dates. -->
    <set-parameter param-id="ra-5_prm_1"> <constraint> <description> <p>monthly operating system/infrastructure; monthly web applications (including APIs) and databases</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ra-05_odp.03"> <constraint> <description> <p>high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="ra-05.02_odp.01"> <constraint> <description> <p>prior to a new scan</p> </description> </constraint> </set-parameter>
    <!-- SA: System and Services Acquisition -->
    <set-parameter param-id="sa-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sa-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sa-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sa-05_odp.02"> <constraint> <description> <p>at a minimum, the ISSO (or similar role within the organization)</p> </description> </constraint> </set-parameter>
    <!-- SA-9: both constraints apply only where Federal information is processed or stored
         in the external system. -->
    <set-parameter param-id="sa-09_odp.01"> <constraint> <description> <p>Appropriate FedRAMP Security Controls Baseline (s) if Federal information is processed or stored within the external system</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sa-09_odp.02"> <constraint> <description> <p>Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored</p> </description> </constraint> </set-parameter>
    <!-- SC: System and Communications Protection -->
    <set-parameter param-id="sc-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sc-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sc-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <!-- sc-05_odp.02 is listed before sc-05_odp.01, unlike the numeric order used for the
         other parameters. The _odp.01 value is a minimum list of denial-of-service event
         types to protect against, not an exhaustive one. -->
    <set-parameter param-id="sc-05_odp.02"> <constraint> <description> <p>Protect against</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sc-05_odp.01"> <constraint> <description> <p>at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sc-12_odp"> <constraint> <description> <p>In accordance with Federal requirements</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sc-13_odp.02"> <constraint> <description> <p>FIPS-validated or NSA-approved cryptography</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sc-15_odp"> <constraint> <description> <p>no exceptions for computing devices</p> </description> </constraint> </set-parameter>
    <!-- NOTE(review): the scope is worded in terms of High or Moderate impact data, while
         the title of this profile says Low Impact. Read literally, a system holding only
         Low impact data could fall outside the encryption-at-rest scope; confirm the
         intended scope for LI-SaaS. -->
    <set-parameter param-id="sc-28.01_odp.02"> <constraint> <description> <p>all information system components storing Federal data or system data that must be protected at the High or Moderate impact levels</p> </description> </constraint> </set-parameter>
    <!-- SI: System and Information Integrity -->
    <set-parameter param-id="si-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="si-01_odp.07"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="si-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter>
    <!-- Patch installation deadline, counted from release of the update. -->
    <set-parameter param-id="si-02_odp"> <constraint> <description> <p>within thirty (30) days of release of updates</p> </description> </constraint> </set-parameter>
    <!-- SI-3 malicious code protection: detection types, scan frequency, scan locations,
         response actions and who is alerted. -->
    <set-parameter param-id="si-03_odp.01"> <constraint> <description> <p>signature based and non-signature based</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="si-03_odp.02"> <constraint> <description> <p>at least weekly</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="si-03_odp.03"> <constraint> <description> <p>to include endpoints and network entry and exit points</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="si-03_odp.04"> <constraint> <description> <p>to include blocking and quarantining malicious code</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="si-03_odp.06"> <constraint> <description> <p>administrator or defined security personnel near-realtime</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="si-05_odp.01"> <constraint> <description> <p>to include US-CERT and Cybersecurity and Infrastructure Security Agency (CISA) Directives</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="si-05_odp.02"> <constraint> <description> <p>to include system security personnel and administrators with configuration/patch-management responsibilities</p> </description> </constraint> </set-parameter>
    <!-- SR: Supply Chain Risk Management -->
    <set-parameter param-id="sr-01_odp.01"> <constraint> <description> <p>to include chief privacy and ISSO and/or similar role or designees</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sr-01_odp.05"> <constraint> <description> <p>at least every 3 years</p> </description> </constraint> </set-parameter>
    <set-parameter param-id="sr-01_odp.07"> <constraint> <description> <p>at least annually</p> </description>
</constraint> </set-parameter> <set-parameter param-id="sr-01_odp.08"> <constraint> <description> <p>significant changes</p> </description> </constraint> </set-parameter> <set-parameter param-id="sr-02_odp.02"> <constraint> <description> <p>at least annually</p> </description> </constraint> </set-parameter> <set-parameter param-id="sr-08_odp.01"> <constraint> <description> <p>notification of supply chain compromises and results of assessment or audits</p> </description> </constraint> </set-parameter> <set-parameter param-id="sr-11.02_odp"> <constraint> <description> <p>all</p> </description> </constraint> </set-parameter> <!-- - - CONTROL MODIFICATIONS - - --> <!-- - - AC-1 - - --> <alter control-id="ac-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AC-2 - - --> <alter control-id="ac-2"> <remove by-id="ac-2_smt.b"/> <remove by-id="ac-2_smt.c"/> <remove by-id="ac-2_smt.d"/> <remove by-id="ac-2_smt.e"/> <remove by-id="ac-2_smt.i"/> <remove by-id="ac-2_smt.j"/> <remove by-id="ac-2_smt.k"/> <remove by-id="ac-2_smt.l"/> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add by-id="ac-2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <part id="ac-2_obj_fr" name="assessment-objective"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="EXAMINE"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="INTERVIEW"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="TEST"/> <p>Determine if the organization defines 
information system account types to be identified and selected to support organizational missions/business functions.</p> </part> <part id="ac-2_asmt_fr.1" name="assessment-method"> <prop ns="https://fedramp.gov/ns/oscal" name="method" value="EXAMINE"/> <part name="assessment-objects"> <p>Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records.</p> </part> </part> <part id="ac-2_asmt_fr.2" name="assessment-method"> <prop ns="https://fedramp.gov/ns/oscal" name="method" value="INTERVIEW"/> <part name="assessment-objects"> <p>Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities.</p> </part> </part> <part id="ac-2_asmt_fr.3" name="assessment-method"> <prop ns="https://fedramp.gov/ns/oscal" name="method" value="TEST"/> <part name="assessment-objects"> <p>Organizational processes for account management on the information system; automated mechanisms for implementing account management.</p> </part> </part> </add> </alter> <!-- - - AC-3 - - --> <alter control-id="ac-3"> <add by-id="ac-3_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" 
class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - AC-7 - - --> <!-- NOTE(review): the guidance below says "Attestation for privileged users", but the method props on this control are NSO and ASSESS, not ATTEST (IA-2 pairs the same sentence with NSO and ATTEST). Confirm which method is intended for privileged users. --> <alter control-id="ac-7"> <add by-id="ac-7_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication.</p> </part> </add> </alter> <!-- - - AC-8 - - --> <alter control-id="ac-8"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="FED"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>FED - This is related to agency data and agency policy solution.</p> </part> </add> </alter> <!-- - - AC-14 - - --> <alter control-id="ac-14"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="FED"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>FED - This is related to agency data and agency policy solution.</p> </part> </add> </alter> <!-- - - AC-17 - - --> <alter control-id="ac-17"> <add by-id="ac-17_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - AC-18 - - --> <alter control-id="ac-18"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop
ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - All access to Cloud SaaS is via web services and/or API. The device used for access, and whether the connection is wired or wireless, is out of scope. Regardless of the device used, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).</p> </part> </add> </alter> <!-- - - AC-19 - - --> <alter control-id="ac-19"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - All access to Cloud SaaS is via web services and/or API. The device used for access is out of scope. Regardless of the device used, access must utilize approved remote access methods (AC-17), secure communication with strong encryption (SC-13), key management (SC-12), and multi-factor authentication for privileged access (IA-2[1]).</p> </part> </add> </alter> <!-- - - AC-20 - - --> <alter control-id="ac-20"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AC-22 - - --> <alter control-id="ac-22"> <add by-id="ac-22_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - AT-1 - - --> <alter control-id="at-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending">
<prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AT-2 - - --> <alter control-id="at-2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AT-2(2) - --> <alter control-id="at-2.2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AT-3 - - --> <alter control-id="at-3"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AT-4 - - --> <alter control-id="at-4"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AU-1 - - --> <alter control-id="au-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AU-2 - - --> <alter control-id="au-2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AU-3 - - --> <alter control-id="au-3"> <add by-id="au-3_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" 
name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - AU-4 - - --> <alter control-id="au-4"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - Loss of availability of the audit data has been determined to have little or no impact to government business/mission needs.</p> </part> </add> </alter> <!-- - - AU-5 - - --> <alter control-id="au-5"> <add by-id="au-5_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - AU-6 - - --> <alter control-id="au-6"> <add by-id="au-6_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - AU-8 - - --> <alter control-id="au-8"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AU-9 - - --> <alter control-id="au-9"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - AU-11 - - --> <alter control-id="au-11"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part 
name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - Loss of availability of the audit data has been determined as little or no impact to government business/mission needs.</p> </part> </add> </alter> <!-- - - AU-12 - - --> <alter control-id="au-12"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - CA-1 - - --> <alter control-id="ca-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - CA-2 - - --> <alter control-id="ca-2"> <add by-id="ca-2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - CA-2 (1) - - --> <alter control-id="ca-2.1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - CA-3 - - --> <alter control-id="ca-3"> <add by-id="ca-3_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 
2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.</p> </part> </add> </alter> <!-- - - CA-5 - - --> <alter control-id="ca-5"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Attestation - for compliance with FedRAMP Tailored LI-SaaS Continuous Monitoring Requirements.</p> </part> </add> </alter> <!-- - - CA-6 - - --> <alter control-id="ca-6"> <add by-id="ca-6_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - CA-7 - - --> <alter control-id="ca-7"> <add by-id="ca-7_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - CA-7(4) - --> <alter control-id="ca-7.4"> <add by-id="ca-7.4_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - CA-8 - --> <alter control-id="ca-8"> <add by-id="ca-8_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - CA-9 - - --> <alter control-id="ca-9"> <add by-id="ca-9_smt" 
position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: There are connection(s) to external systems. Connections (if any) shall be authorized and must: 1) Identify the interface/connection. 2) Detail what data is involved and its sensitivity. 3) Determine whether the connection is one-way or bi-directional. 4) Identify how the connection is secured.</p> </part> </add> </alter> <!-- - - CM-1 - - --> <alter control-id="cm-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - CM-2 - - --> <alter control-id="cm-2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - CM-4 - - --> <alter control-id="cm-4"> <add by-id="cm-4_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - CM-5 - - --> <alter control-id="cm-5"> <add by-id="cm-5_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - CM-6 - - --> <alter control-id="cm-6"> <add by-id="cm-6_smt" 
position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Required - Specifically include details of least functionality.</p> </part> <!-- NOTE(review): Requirement 1 names the Center for Internet Security guidelines (Level 1) but makes the fallback depend on USGCB availability, and the guidance part also points at USGCB; confirm against the FedRAMP baseline which benchmark is meant. The SCAP link in Requirement 2 is plain http while the USGCB link is https. --> <part id="cm-6_fr" name="item"> <title>CM-6(a) Additional FedRAMP Requirements and Guidance</title> <part id="cm-6_fr_smt.1" name="item"> <prop name="label" value="Requirement 1:"/> <p>The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.</p> </part> <part id="cm-6_fr_smt.2" name="item"> <prop name="label" value="Requirement 2:"/> <p>The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (<a href="http://scap.nist.gov/">http://scap.nist.gov/</a>) validated or SCAP compatible (if validated checklists are not available).</p> </part> <part id="cm-6_fr_gdn.1" name="guidance"> <prop name="label" value="Guidance:"/> <p>Information on the USGCB checklists can be found at: <a href="https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline">https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline</a>.</p> </part> </part> </add> </alter> <!-- - - CM-7 - - --> <alter control-id="cm-7"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - CM-8 - - --> <alter control-id="cm-8"> <add by-id="cm-8_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method"
class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - CM-10 - - --> <alter control-id="cm-10"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - Not directly related to protection of the data.</p> </part> </add> </alter> <!-- - - CM-11 - - --> <alter control-id="cm-11"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - Boundary is specific to SaaS environment; all access is via web services; users' machine or internal network are not contemplated. External services (SA-9), internal connection (CA-9), remote access (AC-17), and secure access (SC-12 and SC-13), and privileged authentication (IA-2[1]) are considerations.</p> </part> </add> </alter> <!-- - - CP-1 - - --> <alter control-id="cp-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - CP-2 - - --> <alter control-id="cp-2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.</p> </part> </add> </alter> <!-- - - CP-3 - - --> <alter control-id="cp-3"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop
ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.</p> </part> </add> </alter> <!-- - - CP-4 - - --> <alter control-id="cp-4"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.</p> </part> </add> </alter> <!-- - - CP-9 - - --> <alter control-id="cp-9"> <add by-id="cp-9_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - CP-10 - - --> <alter control-id="cp-10"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - Loss of availability of the SaaS has been determined as little or no impact to government business/mission needs.</p> </part> </add> </alter> <!-- - - IA-1 - - --> <alter control-id="ia-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IA-2 - - --> <alter control-id="ia-2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop 
ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO for non-privileged users. Attestation for privileged users related to multi-factor identification and authentication - specifically include description of management of service accounts.</p> </part> </add> </alter> <!-- - - IA-2 (1) - - --> <alter control-id="ia-2.1"> <add by-id="ia-2.1_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <part id="ia-2.1_fr" name="item"> <title>IA-2(1) Additional FedRAMP Requirements and Guidance</title> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. 
The implementation status and details of how this control is implemented must be clearly defined by the CSP.</p> </part> </part> </add> </alter> <!-- - - IA-2 (2) - - --> <!-- NOTE(review): this control is marked ASSESS with a Required response point, yet any assessment-objective and assessment-method parts are removed by name and nothing is added in their place (AC-2 adds replacement parts when it does the same). Confirm that leaving the assessor without objectives here is intended. --> <alter control-id="ia-2.2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add by-id="ia-2.2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - IA-2 (8) - - --> <alter control-id="ia-2.8"> <add by-id="ia-2.8_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - IA-2 (12) - - --> <!-- NOTE(review): two things to confirm on this control. The added part ia-2.12_obj_fr is named "objective", while the rest of this profile uses "assessment-objective" (ac-2_obj_fr and the remove by-name directives), so tooling that selects parts by name may not treat it as an assessment objective. The control is also tagged CONDITIONAL, but unlike the other CONDITIONAL entries (for example CA-3 and MA-2) it carries no guidance part stating the condition. --> <alter control-id="ia-2.12"> <add by-id="ia-2.12_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part id="ia-2.12_obj_fr" name="objective"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="EXAMINE"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="INTERVIEW"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="fedramp" value="TEST"/> <p>Determine if the information system:</p> <ul> <li>Accepts PIV credentials.</li> <li>Electronically verifies PIV credentials.</li> </ul> </part> </add> </alter> <!-- - - IA-4 - - --> <alter control-id="ia-4"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add
position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IA-5 - - --> <alter control-id="ia-5"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IA-5 (1) - - --> <alter control-id="ia-5.1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IA-6 - - --> <alter control-id="ia-6"> <add by-id="ia-6_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - IA-7 - - --> <!-- NOTE(review): this control is marked ASSESS with a Required response point, yet any assessment-objective and assessment-method parts are removed by name and nothing is added in their place (AC-2 adds replacement parts when it does the same). Confirm that leaving the assessor without objectives here is intended. --> <alter control-id="ia-7"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add by-id="ia-7_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - IA-8 - - --> <alter control-id="ia-8"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IA-8 (1) - - --> <alter control-id="ia-8.1"> <add by-id="ia-8.1_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/>
<prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. The implementation status and details of how this control is implemented must be clearly defined by the CSP.</p> </part> </add> </alter> <!-- - - IA-8 (2) - - --> <alter control-id="ia-8.2"> <add by-id="ia-8.2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Must document and assess for privileged users. May attest to this control for non-privileged users. FedRAMP requires a minimum of multi-factor authentication for all Federal privileged users, if acceptance of PIV credentials is not supported. 
The implementation status and details of how this control is implemented must be clearly defined by the CSP.</p> </part> </add> </alter> <!-- - - IA-8 (4) - - --> <alter control-id="ia-8.4"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IA-11 - - --> <alter control-id="ia-11"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IR-1 - - --> <alter control-id="ir-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IR-2 - - --> <alter control-id="ir-2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IR-4 - - --> <alter control-id="ir-4"> <add by-id="ir-4_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - IR-5 - - --> <alter control-id="ir-5"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IR-6 - - --> <alter control-id="ir-6"> <add by-id="ir-6_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> 
</add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - IR-7 - - --> <alter control-id="ir-7"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - IR-8 - - --> <alter control-id="ir-8"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Attestation - Specifically attest to US-CERT compliance.</p> </part> </add> </alter> <!-- - - MA-1 - - --> <alter control-id="ma-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - MA-2 - - --> <alter control-id="ma-2"> <add by-id="ma-2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - MA-4 - - --> <alter control-id="ma-4"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - MA-5 - - --> <alter control-id="ma-5"> <add 
by-id="ma-5_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - MP-1 - - --> <alter control-id="mp-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - MP-2 - - --> <alter control-id="mp-2"> <add by-id="mp-2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - MP-6 - - --> <alter control-id="mp-6"> <add by-id="mp-6_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - MP-7 - - --> <alter 
control-id="mp-7"> <add by-id="mp-7_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - PE-1 - - --> <alter control-id="pe-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - PE-2 - - --> <alter control-id="pe-2"> <add by-id="pe-2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - PE-3 - - --> <alter control-id="pe-3"> <add by-id="pe-3_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - PE-6 - - 
--> <alter control-id="pe-6"> <add by-id="pe-6_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - PE-8 - - --> <alter control-id="pe-8"> <add by-id="pe-8_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - PE-12 - - --> <alter control-id="pe-12"> <add by-id="pe-12_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - PE-13 - - --> <alter control-id="pe-13"> <add by-id="pe-13_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" 
class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - PE-14 - - --> <alter control-id="pe-14"> <add by-id="pe-14_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> <add by-id="pe-14_smt" position="ending"> <part id="pe-14_fr" name="item"> <title>PE-14(a) Additional FedRAMP Requirements and Guidance</title> <part id="pe-14_fr_smt.a" name="item"> <prop name="label" value="(a) Requirement:"/> <p>The service provider measures temperature at server inlets and humidity levels by dew point.</p> </part> </part> </add> </alter> <!-- - - PE-15 - - --> <alter control-id="pe-15"> <add by-id="pe-15_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - PE-16 - - --> <alter control-id="pe-16"> <add by-id="pe-16_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" 
value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: Control is not inherited from a FedRAMP-authorized PaaS or IaaS.</p> </part> </add> </alter> <!-- - - PL-1 - - --> <alter control-id="pl-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - PL-2 - - --> <alter control-id="pl-2"> <add by-id="pl-2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - PL-4 - - --> <alter control-id="pl-4"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - PL-4(1) - --> <alter control-id="pl-4.1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - PL-8 - --> <alter control-id="pl-8"> <add by-id="pl-8_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - PL-10 - - --> <alter control-id="pl-10"> <remove by-name="assessment-objective"/> <remove 
by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - PL-11 - - --> <alter control-id="pl-11"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - PS-1 - - --> <alter control-id="ps-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - PS-2 - - --> <alter control-id="ps-2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="FED"/> </add> </alter> <!-- - - PS-3 - - --> <alter control-id="ps-3"> <add by-id="ps-3_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - PS-4 - - --> <alter control-id="ps-4"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - PS-5 - - --> <alter control-id="ps-5"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - PS-6 - - --> <alter control-id="ps-6"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add 
position="ending">
      <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/>
    </add>
  </alter>
  <!-- Each alter below tailors one imported control for the FedRAMP-Tailored-LI-SaaS class:
       the "method" prop records how the control is handled, and the two remove elements
       strip the parts named assessment-objective and assessment-method from the control. -->
  <!-- - - PS-7 - - -->
  <alter control-id="ps-7">
    <remove by-name="assessment-objective"/>
    <remove by-name="assessment-method"/>
    <add position="ending">
      <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/>
      <part name="guidance" class="FedRAMP-Tailored-LI-SaaS">
        <p>Attestation - Specifically stating that any third-party security personnel are treated as CSP employees.</p>
      </part>
    </add>
  </alter>
  <!-- - - PS-8 - - -->
  <alter control-id="ps-8">
    <remove by-name="assessment-objective"/>
    <remove by-name="assessment-method"/>
    <add position="ending">
      <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/>
    </add>
  </alter>
  <!-- - - PS-9 - - -->
  <alter control-id="ps-9">
    <remove by-name="assessment-objective"/>
    <remove by-name="assessment-method"/>
    <add position="ending">
      <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/>
    </add>
  </alter>
  <!-- - - RA-1 - - -->
  <alter control-id="ra-1">
    <remove by-name="assessment-objective"/>
    <remove by-name="assessment-method"/>
    <add position="ending">
      <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/>
    </add>
  </alter>
  <!-- - - RA-2 - - -->
  <!-- NOTE(review): RA-2 is tagged ASSESS with a Required response point on ra-2_smt, yet it
       also removes the assessment-objective and assessment-method parts. Everywhere else in
       this part of the file those two removes accompany ATTEST, FED or NSO, and no other
       ASSESS alter carries them (compare RA-3 directly below). Confirm which side is intended:
       as written, the resolved baseline presumably contains an assessed control with no
       objectives or methods left to assess it against. -->
  <alter control-id="ra-2">
    <remove by-name="assessment-objective"/>
    <remove by-name="assessment-method"/>
    <add by-id="ra-2_smt" position="starting">
      <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/>
    </add>
    <add position="ending">
      <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/>
    </add>
  </alter>
  <!-- - - RA-3 - - -->
  <!-- ASSESS pattern: nothing is removed; a Required response point is added at the start of
       the control statement and the method prop is appended to the control. -->
  <alter control-id="ra-3">
    <add by-id="ra-3_smt" position="starting">
      <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/>
    </add>
    <add
position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - RA-3(1) - --> <alter control-id="ra-3.1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - RA-5 - - --> <alter control-id="ra-5"> <add by-id="ra-5_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - RA-5(2) - --> <alter control-id="ra-5.2"> <add by-id="ra-5.2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - RA-5(11) - --> <alter control-id="ra-5.11"> <add by-id="ra-5.11_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - RA-7 - - --> <alter control-id="ra-7"> <add by-id="ra-7_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SA-1 - - --> <alter control-id="sa-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - 
SA-2 - - --> <alter control-id="sa-2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SA-3 - - --> <alter control-id="sa-3"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SA-4 - - --> <alter control-id="sa-4"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SA-4(10) - - --> <alter control-id="sa-4.10"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SA-5 - - --> <alter control-id="sa-5"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SA-8 - - --> <alter control-id="sa-8"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SA-9 - - --> <alter control-id="sa-9"> <add by-id="sa-9_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SA-22 - - --> <alter control-id="sa-22"> 
<add by-id="sa-22_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SC-1 - - --> <alter control-id="sc-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SC-5 - - --> <alter control-id="sc-5"> <add by-id="sc-5_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: If availability is a requirement, define protections in place as per control requirement.</p> </part> </add> </alter> <!-- - - SC-7 - - --> <alter control-id="sc-7"> <add by-id="sc-7_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SC-8 - --> <alter control-id="sc-8"> <add by-id="sc-8_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SC-8(1) - --> <alter control-id="sc-8.1"> <add by-id="sc-8.1_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add 
position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SC-12 - - --> <alter control-id="sc-12"> <add by-id="sc-12_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SC-13 - - --> <alter control-id="sc-13"> <add by-id="sc-13_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="CONDITIONAL"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Condition: If implementing, the CSP needs to detail how it meets or does not meet the control.</p> </part> </add> </alter> <!-- - - SC-15 - - --> <alter control-id="sc-15"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="NSO"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>NSO - Not directly related to the security of the SaaS.</p> </part> </add> </alter> <!-- - - SC-20 - - --> <alter control-id="sc-20"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SC-21 - - --> <alter control-id="sc-21"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - 
SC-22 - - --> <alter control-id="sc-22"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SC-28 - --> <alter control-id="sc-28"> <add by-id="sc-28_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SC-28(1) - --> <alter control-id="sc-28.1"> <add by-id="sc-28.1_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SC-39 - - --> <alter control-id="sc-39"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SI-1 - - --> <alter control-id="si-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SI-2 - - --> <alter control-id="si-2"> <add by-id="si-2_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SI-3 - - --> <alter control-id="si-3"> <add by-id="si-3_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop 
ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SI-4 - - --> <alter control-id="si-4"> <add by-id="si-4_smt" position="starting"> <prop ns="https://fedramp.gov/ns/oscal" name="response-point" value="Required"/> </add> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ASSESS"/> </add> </alter> <!-- - - SI-5 - - --> <alter control-id="si-5"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SI-12 - - --> <alter control-id="si-12"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> <part name="guidance" class="FedRAMP-Tailored-LI-SaaS"> <p>Attestation - Specifically related to US-CERT and FedRAMP communications procedures.</p> </part> </add> </alter> <!-- - - SR-1 - - --> <alter control-id="sr-1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-2 - - --> <alter control-id="sr-2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-2(1) - --> <alter control-id="sr-2.1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-3 - - --> <alter 
control-id="sr-3"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-5 - - --> <alter control-id="sr-5"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-8 - - --> <alter control-id="sr-8"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-10 - - --> <alter control-id="sr-10"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-11 - - --> <alter control-id="sr-11"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-11(1) - --> <alter control-id="sr-11.1"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-11(2) - --> <alter control-id="sr-11.2"> <remove by-name="assessment-objective"/> <remove by-name="assessment-method"/> <add position="ending"> <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/> </add> </alter> <!-- - - SR-12 - - --> <alter control-id="sr-12"> <remove by-name="assessment-objective"/> <remove 
by-name="assessment-method"/>
    <add position="ending">
      <prop ns="https://fedramp.gov/ns/oscal" name="method" class="FedRAMP-Tailored-LI-SaaS" value="ATTEST"/>
    </add>
  </alter>
</modify>
<!-- Back matter: resources that the rest of the profile references by "#uuid" fragment. -->
<back-matter>
  <!-- Target of the rel="reference" link on the FedRAMP PMO party in the metadata. -->
  <resource uuid="985475ee-d4d6-4581-8fdf-d84d3d8caa48">
    <title>FedRAMP Applicable Laws and Regulations</title>
    <rlink href="https://www.fedramp.gov/assets/resources/templates/SSP-A12-FedRAMP-Laws-and-Regulations-Template.xlsx"/>
  </resource>
  <!-- Target of the rel="logo" links on both parties in the metadata. -->
  <resource uuid="a2381e87-3d04-4108-a30b-b4d2f36d001f">
    <description>
      <p>FedRAMP Logo</p>
    </description>
    <prop name="type" value="logo"/>
    <rlink href="https://www.fedramp.gov/assets/img/logo-main-fedramp.png"/>
  </resource>
  <!-- Source catalog: the profile's import element points at this resource by its uuid, so
       every with-id selection and every alter above is resolved against the file named here. -->
  <!-- NOTE(review): the rlink is a relative path and has no hash child, so a resolver uses
       whatever file sits next to the profile under that name; the version prop is descriptive
       and is not an integrity check. Consider pinning the catalog with an rlink hash element
       (algorithm attribute plus digest) and having the resolution pipeline verify it, so a
       swapped or stale catalog cannot silently change the resolved baseline. -->
  <resource uuid="051a77c1-b61d-4995-8275-dacfe688d510">
    <title>NIST Special Publication (SP) 800-53 revision 5</title>
    <prop name="version" value="5.1.1"/>
    <rlink media-type="application/oscal+xml" href="NIST_SP-800-53_rev5_catalog.xml"/>
  </resource>
</back-matter>
</profile>